Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Fix: upgrade x/crypto for CVE-2024-45337 #270

Closed
wants to merge 1 commit into from
Closed

Fix: upgrade x/crypto for CVE-2024-45337 #270

wants to merge 1 commit into from
+33 −5

Conversation

honzap
Copy link

@honzap honzap commented Feb 5, 2025
edited
Loading

Upgrading x/crypto lib due to CVE-2024-45337 found in version < 0.31.0

go mod graph says that module github.com/cloudflare/circl is also using the x/crypto but it'd require upgrade of go version and a lot of other indirect dependencies are updated, so I don't want to touch it.

@twiss
Copy link
Member

twiss commented Feb 10, 2025

Thanks for the PR! It seems we also need to drop support for older Go versions in order to upgrade here. I can investigate whether that's possible. However, we don't use the SSH functionality from x/crypto in this repository, so I don't believe we're actually vulnerable to the mentioned CVE.

@honzap
Copy link
Author

honzap commented Feb 12, 2025

ok, so, I'll close it for now and feel free to investigate the Go version upgrade. My intention was in general to update that x/crypto lib to satisfy security CI tools which detects the old version dependency regardless of usage the functionality or not.

@honzap honzap closed this Feb 12, 2025
@honzap honzap deleted the fix/cryptodepvuln branch February 12, 2025 10:52
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@honzap @twiss